Wrong rule number in pflog with anchors


Wrong rule number in pflog with anchors

trondd-2
If you have an anchor in your pf ruleset, a packet that matches a rule
with a log directive will reflect the rule number of the last anchor
definition instead of the rule that caused the logging.

My first rule in pf.conf is 'block log (all) all'.  In 6.1, packets
matching the block rule will show rule 1 as the matching rule.  Since 6.2
and in current (not sure when during 6.2's development this started) the
same blocked packet will show the rule number of the last anchor in the
ruleset as the matching rule.


This is what I expect, and do get, when no anchor is defined:

root@portabsd:~$ pfctl -sr -R1
block return log (all) all

root@portabsd:~$ tcpdump -nettti pflog0 action block
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Oct 11 20:43:58.834603 rule 1/(match) block in on iwm0: 192.168.1.3.5353 > 224.0.0.251.5353: 0 [17q][|domain]
Oct 11 20:43:58.837980 rule 1/(match) block in on iwm0: fe80::8c2:5295:cd0e:f5e4.5353 > ff02::fb.5353: 0 [17q][|domain] [flowlabel 0x84d6b]
Oct 11 20:44:18.233207 rule 1/(match) block in on iwm0: 192.168.1.3.52286 > 192.168.1.15.445: S 176378676:176378676(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 2314135130 0,[|tcp]> (DF) [tos 0x10] ^C
3 packets received by filter
0 packets dropped by kernel


Add a bogus 'anchor "test"' to the bottom of pf.conf and reload.  Hit the
system with blockable traffic again:

root@portabsd:~$ tcpdump -nettti pflog0 action block
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Oct 11 20:44:50.038509 rule 43/(match) block in on iwm0: 192.168.1.3.52289 > 192.168.1.15.445: SWE 3438533119:3438533119(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 2314166871 0,[|tcp]> (DF) [tos 0x10] ^C
1 packets received by filter
0 packets dropped by kernel

root@portabsd:~$ pfctl -sr -R1
block return log (all) all

root@portabsd:~$ pfctl -sr -R 43
anchor "test" all


My cleaned up pf.conf used in the above reproductions:

wan_services = "{ http https pop3s imaps smtps whois 11371 ssh 53589 8008 }"
set skip on { lo enc }
match in all scrub (no-df random-id reassemble tcp)
set block-policy return
block log (all) all
antispoof quick for egress
vm_net = "{ 10.10.10.0/24 }"
match out on egress inet from $vm_net to any nat-to (egress:0)
pass in quick on vether0 from $vm_net to any
pass out quick proto { tcp udp } to 192.168.1.1 port 53
pass out quick proto tcp to any port { 6667 6697 } user irc
block out quick proto { udp tcp } user irc
pass out quick proto tcp to any port $wan_services
pass out quick proto { udp } to any port 123
pass quick proto udp to any port { 67 68 }
pass out quick proto icmp all
pass quick inet proto icmp all icmp-type unreach code needfrag
pass out quick proto udp to port 33433 >< 33626
block in quick from 192.168.1.1 to 224.0.0.1
vpn_dest = "{ xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx }"
pass in on egress proto esp from $vpn_dest to (self)
pass out on egress proto esp from (self) to $vpn_dest
pass in on egress proto udp from $vpn_dest to (self) port { isakmp ipsec-nat-t }
pass out on egress proto udp from (self) to $vpn_dest port { isakmp ipsec-nat-t }
pass in log quick proto tcp from 192.168.1.0/24 to (self) port ssh
pass quick on egress proto tcp to any port 22000
anchor "test"

Re: Wrong rule number in pflog with anchors

trondd-2
"trondd" <[hidden email]> wrote:

> If you have an anchor in your pf ruleset, a packet that matches a rule
> with a log directive will reflect the rule number of the last anchor
> definition instead of the rule that caused the logging.
>
> My first rule in pf.conf is 'block log (all) all'.  In 6.1, packets
> matching the block rule will show rule 1 as the matching rule.  Since 6.2
> and in current (not sure when during 6.2's development this started) the
> same blocked packet will show the rule number of the last anchor in the
> ruleset as the matching rule.
>

I found that this was introduced in R1.1024 of pf.c which makes sense given
that the commit reworks anchor stacks.

A simplified pf.conf to demonstrate what I am seeing:

set skip on lo
block log all
pass out proto { udp tcp } to any port { ssh http https domain }
anchor "test"

Tim.

>
> This is what I expect, and do get, when no anchor is defined:
>
> root@portabsd:~$ pfctl -sr -R1
> block return log (all) all
>
> root@portabsd:~$ tcpdump -nettti pflog0 action block
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Oct 11 20:43:58.834603 rule 1/(match) block in on iwm0: 192.168.1.3.5353 > 224.0.0.251.5353: 0 [17q][|domain]
> Oct 11 20:43:58.837980 rule 1/(match) block in on iwm0: fe80::8c2:5295:cd0e:f5e4.5353 > ff02::fb.5353: 0 [17q][|domain] [flowlabel 0x84d6b]
> Oct 11 20:44:18.233207 rule 1/(match) block in on iwm0: 192.168.1.3.52286 > 192.168.1.15.445: S 176378676:176378676(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 2314135130 0,[|tcp]> (DF) [tos 0x10] ^C
> 3 packets received by filter
> 0 packets dropped by kernel
>
>
> Add a bogus 'anchor "test"' to the bottom of pf.conf and reload.  Hit the
> system with blockable traffic again:
>
> root@portabsd:~$ tcpdump -nettti pflog0 action block
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Oct 11 20:44:50.038509 rule 43/(match) block in on iwm0: 192.168.1.3.52289 > 192.168.1.15.445: SWE 3438533119:3438533119(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 2314166871 0,[|tcp]> (DF) [tos 0x10] ^C
> 1 packets received by filter
> 0 packets dropped by kernel
>
> root@portabsd:~$ pfctl -sr -R1
> block return log (all) all
>
> root@portabsd:~$ pfctl -sr -R 43
> anchor "test" all
>
>
> My cleaned up pf.conf used in the above reproductions:
>
> wan_services = "{ http https pop3s imaps smtps whois 11371 ssh 53589 8008 }"
> set skip on { lo enc }
> match in all scrub (no-df random-id reassemble tcp)
> set block-policy return
> block log (all) all
> antispoof quick for egress
> vm_net = "{ 10.10.10.0/24 }"
> match out on egress inet from $vm_net to any nat-to (egress:0)
> pass in quick on vether0 from $vm_net to any
> pass out quick proto { tcp udp } to 192.168.1.1 port 53
> pass out quick proto tcp to any port { 6667 6697 } user irc
> block out quick proto { udp tcp } user irc
> pass out quick proto tcp to any port $wan_services
> pass out quick proto { udp } to any port 123
> pass quick proto udp to any port { 67 68 }
> pass out quick proto icmp all
> pass quick inet proto icmp all icmp-type unreach code needfrag
> pass out quick proto udp to port 33433 >< 33626
> block in quick from 192.168.1.1 to 224.0.0.1
> vpn_dest = "{ xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx }"
> pass in on egress proto esp from $vpn_dest to (self)
> pass out on egress proto esp from (self) to $vpn_dest
> pass in on egress proto udp from $vpn_dest to (self) port { isakmp ipsec-nat-t }
> pass out on egress proto udp from (self) to $vpn_dest port { isakmp ipsec-nat-t }
> pass in log quick proto tcp from 192.168.1.0/24 to (self) port ssh
> pass quick on egress proto tcp to any port 22000
> anchor "test"
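The symptom in both posts is that a pflog record names a rule number that cannot have produced it: the number points at an anchor rule, which takes no log keyword. Below is an added example, not code from either post, of a small cross-check that parses `pfctl -vvsr` (rule lines carry an @N prefix, N being the number pflog reports) and `tcpdump -nettti pflog0` output and flags records whose rule number is inconsistent with the loaded ruleset: the number is out of range, it is an anchor, the rule has no log keyword, or the logged action does not match the rule's. The ruleset and log lines embedded in it are constructed (the ruleset is a hypothetical one modelled on the simplified pf.conf above; the counter lines are placeholders), so it runs offline.

```python
"""Cross-check pflog rule numbers against the pf ruleset that is loaded.

Added example for this thread, not code from either post.  It reads the text
of `pfctl -vvsr` (rule lines carry an @N prefix, N being the number pflog
reports) and of `tcpdump -nettti pflog0`, and flags records whose rule number
cannot be the rule that produced them.  All sample input below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed approximation of `pfctl -vvsr` output for a hypothetical ruleset
# modelled on the simplified pf.conf in the second post.  The counter lines are
# placeholders; only the @N lines are parsed.
RULESET_SAMPLE = """\
@0 block drop log all
  [ Evaluations: 120       Packets: 7         Bytes: 420         States: 0     ]
@1 pass out proto tcp from any to any port = 22 flags S/SA
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
@2 pass out log proto udp from any to any port = 53
  [ Evaluations: 4         Packets: 2         Bytes: 160         States: 1     ]
@3 anchor "test" all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
"""

# Constructed pflog records in the format shown in the thread.  Records 1 and 4
# are consistent with RULESET_SAMPLE; 2, 3 and 5 each show a different defect.
PFLOG_SAMPLE = """\
Oct 11 20:43:58.834603 rule 0/(match) block in on iwm0: 192.168.1.3.5353 > 224.0.0.251.5353: 0 [17q][|domain]
Oct 11 20:44:50.038509 rule 3/(match) block in on iwm0: 192.168.1.3.52289 > 192.168.1.15.445: SWE 3438533119:3438533119(0) win 65535
Oct 11 20:45:02.118004 rule 1/(match) pass out on iwm0: 192.168.1.15.40321 > 192.168.1.3.22: S 1:1(0) win 16384
Oct 11 20:45:07.540111 rule 2/(match) pass out on iwm0: 192.168.1.15.51000 > 192.168.1.1.53: 1+ A? example.net. (29)
Oct 11 20:45:09.000012 rule 7/(match) block in on iwm0: 192.168.1.3.60000 > 192.168.1.15.139: S 5:5(0) win 8192
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*\S)\s*$")
# "rule 43/(match) block in on iwm0:"; rules inside anchors print as
# "rule 43.test.0/(match)", so an optional dotted suffix is tolerated.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)(?:\.\S+)?/\((?P<reason>[^)]+)\) "
    r"(?P<action>\S+) (?P<direction>in|out) on (?P<ifname>[^:]+):"
)


@dataclass
class LogRecord:
    rule: int
    reason: str
    action: str      # block / pass / match as printed by tcpdump
    direction: str
    ifname: str
    raw: str


def parse_ruleset(text: str) -> Dict[int, str]:
    """Map rule number -> rule text from `pfctl -vvsr` output."""
    rules: Dict[int, str] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules


def parse_pflog_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord for a pflog line, or None for tcpdump chatter."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    return LogRecord(int(m["rule"]), m["reason"], m["action"],
                     m["direction"], m["ifname"], line.rstrip())


def check_record(rec: LogRecord, rules: Dict[int, str]) -> Optional[str]:
    """Describe why the record's rule number cannot be right, or None if it can."""
    rule = rules.get(rec.rule)
    if rule is None:
        return f"rule {rec.rule} is not in the loaded ruleset (logged before a reload?)"
    words = rule.split()
    if words[0] == "anchor":
        return (f"rule {rec.rule} is an anchor ({rule}); anchor rules take no log "
                f"keyword, so the number is not the rule that matched")
    if "log" not in words:
        return f"rule {rec.rule} ({rule}) has no log keyword"
    if words[0] != rec.action:
        return f"logged action {rec.action!r} but rule {rec.rule} is a {words[0]} rule"
    return None


def audit(pflog_text: str, ruleset_text: str) -> List[str]:
    """Return one message per pflog record whose rule number is inconsistent."""
    rules = parse_ruleset(ruleset_text)
    problems = []
    for line in pflog_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        problem = check_record(rec, rules)
        if problem:
            problems.append(f"{rec.raw[:60]}... -> {problem}")
    return problems


if __name__ == "__main__":
    for p in audit(PFLOG_SAMPLE, RULESET_SAMPLE):
        print(p)
```

On a live OpenBSD box the two inputs come from `pfctl -vvsr` and from `tcpdump -nettti pflog0` (or `tcpdump -nettt -r /var/log/pflog` for the saved log); capture both within the same ruleset generation, since a reload renumbers the main ruleset and would make the first check fire for legitimate older records. A record flagged by the anchor check is exactly the behaviour the thread reports: with no anchor present, the logged number lines up with `pfctl -sr -R N`, and once an anchor is appended the same blocked packet reports the anchor's number instead.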